【性价之王】	【线路之王】	【价格之王】	【配置之王】
【免费之王】	【香港首推】	【梯子之王】	【独服之王】

crazyssl去年就出过一年通配符SSL证书的活动，今年活动又来了，有需要的朋友不要错过了，这个是个自家提供的全球信任的TrustOcean Wildcard SSL通配符 1年有效期，依然全球信任，实则为付费证书免费促销活动。

- 1年365天有效期 0元 拿到您的通配符SSL证书
- 避免欺诈订单检测，先注册确认邮件，
- 申请第二个证书之前需要配置并签发之前的免费证书
- 自家品牌网站上线，欢迎吐槽提建议
- 更有其他的全球最低价品牌SSL证书列表

官方网站

https://www.crazyssl.com/

SSL配置教程

让你的站点获得 SSL 配置达到 A+水平

nginx 配置，只贴出 SSL 相关，需要将配置放到 server {} 位置。

首先开启 ssl

listen 443 ssl;server_name www.example.com;ssl on;ssl_certificate /etc/ssl/certs/ssl-bundle.crt;ssl_certificate_key /etc/ssl/private/www_example_com.key;

12345

listen 443 ssl;server_name www.example.com;ssl on;ssl_certificate /etc/ssl/certs/ssl-bundle.crt;ssl_certificate_key /etc/ssl/private/www_example_com.key;

其中 ssl-bundle.crt 是网站证书，www_example_com.key 是证书私钥，如何获取这两个文件，请自行搜索。

需要注意的是，大部分 CA 提供的证书都是多级，所以可能需要我们把多个证书合并成一个，这样可以减少浏览器额外下载中间证书的次数。

生成 dhparam.pem

$ openssl dhparam -out dhparam.pem 4096

1	$ openssl dhparam -out dhparam.pem 4096

配置到 nginx

ssl_dhparam /etc/ssl/certs/dhparam.pem;

1	ssl_dhparam /etc/ssl/certs/dhparam.pem;

协议和 ciphers 选择，ciphers 的选择比较关键，这个配置中的 ciphers 支持大多数浏览器，但不支持 XP/IE6 。

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_stapling on;ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";ssl_per_server_ciphers on;

1234

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_stapling on;ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";ssl_per_server_ciphers on;

ssl session 配置

ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;

12	ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;

HSTS 配置，这个对评分影响也比较大，但如果开启这个，需要全站开启 HTTPS 。

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

1	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

完整配置文件

server { listen 443 ssl; server_name www.example.com; ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/www_example_com.key; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_per_server_ciphers on; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; location / { # pass }}

123456789101112131415161718

server {        listen 443 ssl;        server_name www.example.com;        ssl on;        ssl_certificate /etc/ssl/certs/ssl-bundle.crt;        ssl_certificate_key /etc/ssl/private/www_example_com.key;        ssl_dhparam /etc/ssl/certs/dhparam.pem;        ssl_session_cache shared:SSL:10m;        ssl_session_timeout 10m;        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        ssl_stapling on;        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";        ssl_per_server_ciphers on;        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";        location / {                # pass        }}

更新：

请移步Mozilla SSL配置生成器

[免费软件]历史优惠活动内容

Technitium MAC Address Changer免费软件快速修改Win系统MAC